nifi-dev mailing list archives

From Matthew Clarke <matt.clarke....@gmail.com>
Subject Re: https connection fails with ERR_CONNECTION_CLOSED
Date Fri, 13 Nov 2015 12:57:07 GMT
     NiFi does not allow multiple users to make changes to the graph at the
same time.  Securing your NiFi (while a very good thing to do) does not
change this behavior. This is a feature that we are looking to support at
some point in the future. I do not have a timetable for when that will
occur.

     That being said, you are receiving ERR_CONNECTION_CLOSED because you
do not have a user certificate loaded in your browser to pass to your
secured NiFi instance.  Every user who wants to access a PKI-enabled NiFi
will need to have a certificate issued to them.  Those user certificates
will either need to be signed by a certificate authority (CA) that is also
loaded in your NiFi's truststore, or every user's self-signed certificate
will need to be included in the truststore.

     The keystore and truststore are two different keystores in NiFi.  The
keystore will contain the certificate for your server running your instance
of NiFi.  It is typically signed by a CA rather than being self-signed.
The truststore typically includes the certificate for one or more CAs, but
in the case of self-signed server and user certificates, the truststore
would need to include them as well.

     There is a free service you can use on the web that allows you to
create your own CA and sign multiple keys with it (user and server keys).

https://www.tinycert.org/

     After creating your CA, you will need to create both server keys and
user keys at the same site.  Users will load their key into their web
browser and the server key will be loaded as your NiFi keystore.  Take the
CA key and load it into your truststore.  Accessing the HTTPS UI of NiFi
requires two-way SSL authentication: your browser passes your key to NiFi,
NiFi checks to see if it is signed by someone it trusts, and NiFi passes its
server key back to your browser to do the same.  It is not necessary to
load the CA into your browser because your browser will tell you it is not
trusted and give you the option to continue anyway.

     There is one more step that is required in NiFi. The CN from the
certificate of the first user accessing NiFi will need to be
manually added to the authorized-users.xml file found in the conf directory
of your NiFi installation. That user will need to be granted at a minimum
the "admin" role.  Users with the Admin role have the ability to access the UI
and change and grant other users the various access levels.  Subsequent
users who access the UI without a matching CN will be prompted to
request access.  The existing Admin user will be able to add their levels
of access via the UI.

    We understand that this highly secure method of authentication into a
NiFi instance is complicated, so in the next release we are adding support
for authentication via username and password.

Hope this helps,
Matt


On Fri, Nov 13, 2015 at 4:35 AM, veeresh <veereshsy05@gmail.com> wrote:

> Hi All
> I have installed nifi on Hortonworks cluster in Azure cloud. Everything works
> just fine with non-secured mode (http). In this mode multiple users cannot
> work on different templates. I followed the documentation
> (
> https://nifi.apache.org/docs/nifi-docs/html/administration-guide.html#security-configuration
> ).
>
> Question: For multiple users to work on different templates, is it mandatory
> to have an https connection enabled?
>
> Referring to (http://wiki.eclipse.org/Jetty/Howto/Configure_SSL) I have
> created keystore and trust store.
> My security settings in the nifi.properties file look as below.
>
> nifi.security.keystore=/home/hortonhdp/nifi-0.3.0/keystore
> nifi.security.keystoreType=JKS
> nifi.security.keystorePasswd=nifi123
> nifi.security.keyPasswd=nifi123
> nifi.security.truststore=/home/hortonhdp/nifi-0.3.0/keystore
> nifi.security.truststoreType=JKS
> nifi.security.truststorePasswd=nifi123
> nifi.security.needClientAuth=true
> nifi.security.user.credential.cache.duration=24 hours
> nifi.security.user.authority.provider=file-provider
> nifi.security.support.new.account.requests=
> nifi.security.ocsp.responder.url=
> nifi.security.ocsp.responder.certificate=
>
> From the browser I get ERR_CONNECTION_CLOSED error. When I try to connect
> to nifi using curl locally on the server itself, I get the error below:
>
> curl --verbose  --insecure  https://sandbox.hortonworks.com:8089/nifi
> * About to connect() to sandbox.hortonworks.com port 8089 (#0)
> *   Trying 10.0.0.4... connected
> * Connected to sandbox.hortonworks.com (10.0.0.4) port 8089 (#0)
> * Initializing NSS with certpath: sql:/etc/pki/nssdb
> * warning: ignoring value of ssl.verifyhost
> * skipping SSL peer certificate verification
> * NSS: client certificate not found (nickname not specified)
> * NSS error -5938
> * Closing connection #0
> curl: (35) NSS: client certificate not found (nickname not specified)
>
> Also enabled DEBUG mode in logback.xml to see any issue. But I don't see
> any errors related to jetty security.
>
> Is there clear documentation on how to generate the keystore/truststore?
> Are secured connections (https) tested on cloud/Azure? How can I enable
> multiple users to access nifi without https mode?
>
> Thanks in advance
>
> --
> View this message in context:
> http://apache-nifi-developer-list.39713.n7.nabble.com/https-connection-fails-with-ERR-CONNECTION-CLOSED-tp4833.html
> Sent from the Apache NiFi Developer List mailing list archive at
> Nabble.com.
>
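Matt's reply comes down to two configuration facts: the keystore (server identity) and the truststore (trusted CAs or user certs) are separate stores, and with needClientAuth=true every client must present a certificate, which is why both the browser and curl are refused. The following Python script is an added example, not NiFi's own code, and the function names (parse_properties, check_security_properties) are my own; it reads the nifi.security.* block exactly as quoted in the question above (embedded inline as a constructed sample) and flags the points the reply raises, including that veeresh's truststore path is the same file as the keystore.

```python
"""Sanity checks for the nifi.security.* block of a NiFi 0.x nifi.properties.

Added example for this thread, not NiFi project code. The sample below is the
configuration quoted in the question, embedded inline as a constructed string.
"""
from __future__ import annotations

# Constructed sample: the nifi.security.* lines quoted in the question.
SAMPLE_PROPERTIES = """\
nifi.security.keystore=/home/hortonhdp/nifi-0.3.0/keystore
nifi.security.keystoreType=JKS
nifi.security.keystorePasswd=nifi123
nifi.security.keyPasswd=nifi123
nifi.security.truststore=/home/hortonhdp/nifi-0.3.0/keystore
nifi.security.truststoreType=JKS
nifi.security.truststorePasswd=nifi123
nifi.security.needClientAuth=true
nifi.security.user.credential.cache.duration=24 hours
nifi.security.user.authority.provider=file-provider
nifi.security.support.new.account.requests=
nifi.security.ocsp.responder.url=
nifi.security.ocsp.responder.certificate=
"""


def parse_properties(text: str) -> dict[str, str]:
    """Minimal Java .properties reader: key=value lines; '#'/'!' comments and
    blank lines are ignored. Values may be empty (e.g. the ocsp keys above)."""
    props: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue  # not a key=value line; ignore rather than guess
        props[key.strip()] = value.strip()
    return props


def check_security_properties(props: dict[str, str]) -> list[str]:
    """Return human-readable findings for the issues discussed in the thread."""
    findings: list[str] = []
    keystore = props.get("nifi.security.keystore", "")
    truststore = props.get("nifi.security.truststore", "")

    # Core point of the reply: the keystore holds the server's own certificate,
    # the truststore holds the CA (or each self-signed user cert). Pointing
    # both at one file means the server trusts only its own identity.
    if keystore and keystore == truststore:
        findings.append(
            "keystore and truststore point to the same file (%s); the "
            "truststore should be a separate store holding the CA or the "
            "self-signed user certificates" % keystore)

    # Two-way TLS: every browser/curl client must present a certificate that
    # chains to the truststore, otherwise the server closes the connection
    # (ERR_CONNECTION_CLOSED in the browser, NSS client-cert error in curl).
    if props.get("nifi.security.needClientAuth", "").lower() == "true":
        findings.append(
            "needClientAuth=true: clients must present a certificate signed by "
            "a CA in the truststore; curl needs --cert/--key, browsers need "
            "the user certificate imported")

    # Empty store passwords would make the stores unreadable at startup.
    for key in ("nifi.security.keystorePasswd", "nifi.security.keyPasswd",
                "nifi.security.truststorePasswd"):
        if not props.get(key):
            findings.append("%s is empty" % key)

    # The remaining step from the reply: with the file-based provider, the
    # first admin's certificate CN must be in conf/authorized-users.xml.
    if props.get("nifi.security.user.authority.provider") == "file-provider":
        findings.append(
            "file-provider: the first admin's certificate CN must be added to "
            "conf/authorized-users.xml with the admin role before first login")
    return findings


if __name__ == "__main__":
    for finding in check_security_properties(parse_properties(SAMPLE_PROPERTIES)):
        print("-", finding)
```

Run against the quoted configuration it reports the shared keystore/truststore path first; once the truststore is a separate JKS containing the CA that signed the user and server certificates, that finding disappears and only the informational notes about client authentication and authorized-users.xml remain.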
